Bug exposes user data, as well as computers, Web cams, and other connected devices.

Share this story

More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.

The vulnerability resides in "RomPager" software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send simple HTTP cookie files that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controling Web cams, computers, or other connected devices. Researchers from Check Point's malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the "fortune" of an HTTP request by manipulating cookies. They wrote:

If your gateway device is vulnerable, then any device connected to your network—including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network—may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

Determining precisely what routers are vulnerable is a vexing undertaking. Devices frequently don't display identifying banners when unauthenticated users access them, and when such banners are presented, they often don't include information about the underlying software components. Beyond that, some device manufacturers manually patch the bug without upgrading the RomPager version, a practice that may generate false positives when automatically flagging all devices running versions prior to 4.34. To work around the challenges, Check Point researchers performed a comprehensive scan of Internet addresses that probed for vulnerable RomPager services. The results showed 12 million unique devices spanning 200 different models contained the bug. Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

Further Reading

Check Point has uncovered no evidence the vulnerability has been actively exploited, but researchers couldn't rule out such attacks, either. In-the-wild exploits might at least partially explain a rash of hacks earlier this year that remotely hijacked hundreds of thousands of routers on twoseparate occasions. What's more, Thursday's disclosure is likely to spur blackhats to begin exploiting the vulnerability.

The critical vulnerability was introduced in 2002, and a fix was made available three years later. As demonstrated by Check Point's finding that 12 million devices are susceptible to Misfortune Cookie attacks, the fix has yet to make its way into a significant number of routers. The bug has been assigned the identifier CVE-2014-9222.

The most sure-proof way for readers to make sure their devices aren't vulnerable is to make sure they are running RomPager version 4.34 or higher, although as noted earlier, it's possible routers running earlier versions may have been manually patched. Ars isn't immediately aware of any services end users can deploy to detect for vulnerable routers. This post will be updated if that changes. In the event a device is vulnerable, it's up to the end user to locate an update and flash the router, a process that's not always straight forward. Users may also want to consider alternative firmware. Administrators who oversee large fleets of vulnerable devices can consult this whitepaper made available by Check Point. If a router is believed to be vulnerable but can't be updated, users can also put it in bridge mode and deploy a secure device as the Internet dialer/gateway.

The risk stemming from the vulnerability goes well beyond attackers being able to monitor unencrypted data. It also includes attackers using a hijacked router to infect connected computers and Internet-of-things devices. Normally, routers act as a firewall that filters out such remote attacks. In the event it's affected by the Misfortune Cookie bug, they could become beachheads for attacking the rest of a local network.

Post updated to add Linksys as an affected manufacturer, change into and listing image.